Don't forget the colon...
> alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024:
>
According to the example in the snort manual this means any port equal
to or greater than 1024, 43844 > 1024.
"log tcp any :1024 -> 192.168.1.0/24 500:
log tcp traffic from privileged ports less than or equal to 1024
going to ports greater than or equal to 500
"
Regards,
Will